Symmetric and Asymmetric Ciphers: A comparison

A cipher refers to a secret or disguised way of writing. The context in which it is used here is in reference to cryptographic algorithms and protocols.A Cryptographic cipher/protocol refers to a pair of algorithms to convert plaintext (data we wish to obfuscate) to ciphertext (the data in a form which doesn’t reveal its original content) and vice-versa. And it is important to keep in mind that all cryptographic protocols are vulnerable to brute force attacks (with the exception of few ciphers like one-time pad which are impractical to use) and that the security of the algorithm is based on the computational hardness or in-feasibility of attacking the cipher with a brute force approach. Cryptographic systems can be broadly divided into two families which, as the title suggests, are:

Symmetric Ciphers

Asymmetric Ciphers

Let’s look at Symmetric Ciphers first. Early encryption was restricted to government/military usage and hence most of the focus was on preventing the code/algo from being broken. We’ll see later why a different class of cryptography (asymmetric cipher) was needed. Symmetric ciphers were given the name due to the common feature of all the ciphers in this family, namely the same key being used for encryption and decryption of messages by both end nodes. Hence from the point of view of the end nodes, the cryptographic system, which consists of the encryption algorithm, the decryption algorithm and the key to be used are identical in any communication scenario between the two nodes for a given session. Data encrypted using an encryption algorithm and a corresponding key can only be decrypted using the corresponding algorithm and the exact same key. The computational hardness of the design makes guessing the exact key used, an improbability. Given the above information let’s try and imagine a scenario where this system is insufficient.

Let’s assume that some eavesdropper has taken control of all traffic moving in and out of our computer system. Since storing keys for every end node is an inefficient solution (the number of client nodes would be limited to the number of keys and storing the data of the end node and the associated key poses other risks), most applications work by issuing a per session key. For example, imagine a scenario where you wish to make use of a net banking facility and the server sends a key for you to encrypt all your data so eavesdroppers don’t get your credentials. This is fine except for the scenario where the eavesdropper listening to your network notices the server’s message sending you the key. Since you, the client node, and the server had not decided on a encryption key prior to the session, the key must be sent in cleartext. The eavesdropper can then simply replace the key the server sent you with one he wants you to use. Since you have no idea the message was modified, you assume that the key the server sent you is the one you received. To prevent random brute force, the application requires you to encrypt say for eg. your account number to make sure you aren’t accessing the services randomly. You use the key you received to encrypt your account number and send it to the server. The eavesdropper then decrypts the message using the key he sent you, re-encrypts the data with the key the server sent to make it seem to both the client and the server that the communication has no issues. This situation is named the key distribution problem, i.e. applications in which the cryptographic key is to be distributed during the session cannot make use of symmetric key encryption.An associated problem is the number of keys required. Since ideally every communicating pair in the system should have a unique key, the number of keys becomes proportional to the square of the total number of nodes (nC2, or equivalently the total number of edges in a completely connected graph of n nodes). These are the main issues to solve which, asymmetric key ciphers were invented. Before coming to whether this means that the symmetric family of ciphers are not useful anymore, it would be germane to take a look at asymmetric ciphers first.

Asymmetric key ciphers, also called public key ciphers, work with two keys per end node, a public key and a private key. As is pretty self-explanatory, the public key is known to all nodes that wish to communicate with the given node and the private key is known only to the node under consideration. The main theory behind the pair of keys is that, if encryption is performed with one key of the pair, the other is the only way to decrypt the data. Also implicitly understood is the fact that knowledge of one key of the pair, along with the ciphertext and even algorithm is insufficient to figure out the other key of the pair. The exact concept has multiple approaches each requiring an explanation of its own. So just assume that the previous properties are satisfied in a black box manner for now.So how does this solve the issues with symmetric key encryption? Firstly, let us look at the issue of the eavesdropper. Assuming that the banking server is made aware of your public key by means of a database or the first contact message you send to it, the server can encrypt the session key with your public key, i.e. the key you sent it. Since you never made your private key public, the message cannot be decrypted or modified by the eavesdropper. Repudiation issues can also be resolved by the use of public and private keys by both communicating nodes. Messages are sent to the other node by encrypting the messages using the other node’s public key and then your private key (or vice versa). Since only your public key can decrypt the message, it proves that the message was in fact sent by you. To make sure no other eavesdropper used your public key to modify the message, the first step, which was to encrypt the message using the destination’s public key, comes into play. Since only the destination node is aware of the private key, modification concerns too have been addressed. By the previous logic, it is also pretty obvious that the number of keys required for completely isolated (security wise) communication between n nodes is directly proportional to the number of nodes.

From the previous paragraph the advantages of asymmetric key ciphers over symmetric key ciphers are obvious, does this mean that symmetric key ciphers are redundant in today’s world? The answer is no. The disadvantages of asymmetric key ciphers is that encryption and decryption is based on computations that require more processing or resources, basically increasing the time (delay). Another issue is the need of an infrastructure for the distribution of unique key pairs, finding and maintaining information about which, is an issue by itself. The issue is important because there exist popular symmetric encryption algorithms that work faster than any asymmetric cipher present currently. Hence the choice between the families of ciphers becomes one of an issue between speed and the need for repudiation etc. Hence symmetric ciphers are still widely used in cases where the key needn’t be transmitted during the session. For eg, encryption of files on your hard drive etc. And based on the math and computation behind symmetric and asymmetric ciphers there doesn’t seem to be a time in the near future where symmetric keys lose their use or importance.